- Tom Kopchak
- Dec 06, 2017
- Tested on Splunk Version: N/A
In this tutorial Tom will be showing you how to go from Zero to Splunk in just a couple of minutes. Tom will walk you through the steps and by the end you will know how to install Splunk on a Linux VM like an IT superhero.
There are a few cases where a quick lab Splunk install can work to your advantage. One instance would be when you have log files (or anything else that Splunk will ingest) that you need to quickly investigate, or to demonstrate for someone else how useful Splunk is for this sort of work. Another case is when you have data you need to onboard and want to experiment with configurations and apps to determine what you should deploy in production.
When building this type of system, assume a very short lifetime - use a VM (or a cloud instance), test what you need to, and then throw the system away. This lab is intended to get Splunk up and running as quickly as possible, without focusing on configuration best practices or deployment strategies you should consider for a permanent deployment.
Note: If you’re reading this, you’ll probably want to play around with Splunk for a bit in a temporary environment.
For this lab, I’ve chosen a Ubuntu 16.04 instance hosted by Linode. These steps will be similar regardless of what distribution or provider you choose - you will just need SSH access to the Linux host to get started. The free tier offered by Amazon AWS is a great way to get started without having any upfront cost when experimenting.
Obviously, the low-cost cloud instances will be well below the minimum specifications for Splunk. As long as you are only working with a (very) small set of data, Splunk will still function in this type of environment, but you will likely notice degraded performance if you try to do any significant work on the system. That said, even the smallest cloud instances have been sufficient for most of the quick testing I have needed to do, but I tend to go with a larger machine when I need to work with anything more than a sample file or two.
For this lab, the instance I’m using has a single CPU core and 2 GB of RAM, with 30 GB of SSD-backed storage. Definitely not something that should end up being your production Splunk instance!
Below you will find the video as well as the associated steps.
Step 1: Before getting started make sure you confirm that you can SSH into the Linux system where you will be running the installation. In this instance, I have logged in as root directly.
Note: Splunk is designed so that it does not need to run as root (and generally should not be run as root), since all of the ports it uses by default are above 1024; this is why the web interface listens on port 8000 out of the box.
Step 2: Go to www.splunk.com and click the “Free Splunk” link in the upper right corner. Sign up for an account if you do not already have one; if you do have a Splunk account, click the login button and proceed to sign in.
Step 3: On the download page, choose the free download for Splunk Enterprise. This is the version of Splunk that you install on your own operating system.
Step 4: Since we are installing this on Linux, click on Linux and then download the .tgz installer tarball.
Step 5: The .tgz will begin downloading automatically (and you will receive an email, congratulating you for downloading Splunk). However, to save us from having to transfer the installer to your Linux machine, click the Download via Command Line (wget) link and copy it to the clipboard.
Step 6: On your Linux machine, cd into the /tmp directory using the cd /tmp command. Then paste the wget string copied from Splunk’s site. This will result in the installer being placed at /tmp/splunk-<version>-Linux-x86_64.tgz. This type of file is commonly referred to as a tarball.
Step 7: Navigate to the /opt directory with the command cd /opt. Then extract the Splunk tarball with the tar command, giving it the full path and name of the file you just downloaded. In my example, this looks like this: tar -zxf /tmp/splunk-7.0.0-c8a78efdd40f-Linux-x86_64.tgz
Note: Your file name will likely be different than mine since you will probably be using a newer version.
Tip: The Linux Bash shell supports tab completion, which is a great timesaver. You only need to type enough of a command or path to unambiguously identify the command or file you are looking to use. For example, if there are no other Splunk tarballs in the /tmp directory, you will probably only need to type /tmp/s followed by <tab> to have the shell automatically expand the rest of the name. Try it for yourself when you’re doing this step! Learn this trick and you will save a ton of time and look like a pro right away.
Step 8: Now it’s time to start Splunk. Invoke the command /opt/splunk/bin/splunk start --accept-license and watch the output as your brand new Splunk installation comes to life.
Step 9: Verify that Splunk is running by using the ps ax command along with grep as follows: ps ax | grep splunk. This will filter down the results to only show lines that contain Splunk. This shows you all of the Splunk processes (as well as the process for the grep command we’re running on the output, see the last line in the screenshot - you can ignore that). As long as you see more than just a line with grep --color=auto splunk, Splunk should be running successfully at this point.
Step 10: Open up your favorite web browser and navigate to the address of your new Splunk installation as follows: http://splunk.server.ip.address:8000 (replace this with the actual IP address or hostname of your Splunk server). If everything worked up to this point, you will be greeted with a Splunk Enterprise login screen.
Note: If the Splunk Web interface doesn’t load and you have confirmed that the Splunk processes are running as expected, you may need to verify that there is not a firewall (either a network firewall or a host-based one on your server) blocking your access to port 8000. Many corporate networks do not allow port 8000 out to the Internet by default.
Step 11: Log in with the default credentials listed on the screen, admin and changeme. Upon clicking Sign In, you will have the opportunity to change the admin password. Please do so at this time.
Step 12: Congratulations! You’ve successfully installed Splunk and your deployment is ready to use.
Step 13: Since you don’t have any data at this point, you can verify that search is working by running a search in the internal index as follows: index=_internal (note the underscore in front of internal - that is important, since this is how Splunk identifies all of its internal indexes). You will probably be surprised by the amount of logs you already see in this index.
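Steps 6 through 10 as one script, added here as an example and not part of the original post. It assumes the wget URL copied from the Splunk download page is passed in as the argument, that the host has wget, tar and ss, and that you run it as a user allowed to write under /opt (the tutorial used root on a throwaway VM); the two check functions read a listing from stdin so they can be tried on saved output too.

```shell
#!/bin/sh
# Added example: the tutorial's download / extract / start / verify steps
# wrapped in functions. Assumes SPLUNK_HOME=/opt/splunk as in the tutorial.

SPLUNK_HOME=/opt/splunk

# Steps 6-8: fetch the tarball into /tmp, unpack it under /opt, start Splunk.
# $1 is the download URL; the file name is taken from the last path segment.
install_splunk() {
    url="$1"
    tgz="/tmp/${url##*/}"
    tgz="${tgz%%\?*}"                                  # drop any ?query string
    wget -O "$tgz" "$url"                              # step 6
    tar -zxf "$tgz" -C /opt                            # step 7
    "$SPLUNK_HOME/bin/splunk" start --accept-license   # step 8
}

# Step 9: count Splunk processes in a `ps ax` listing read from stdin. The
# grep process itself also matches "splunk", so it is filtered out; otherwise
# a Splunk that failed to start would still look like one running process.
count_splunk_procs() {
    grep 'splunk' | grep -v 'grep' | wc -l | tr -d ' '
}

# Step 10 / firewall note: does an `ss -ltn` listing (stdin) show a listener
# on the Splunk Web port? Exit status 0 if yes, 1 if no. A listener that is
# present but unreachable from your browser points at a firewall in between.
web_port_listening() {
    port="${1:-8000}"
    grep -q ":${port}[[:space:]]"
}

# Run both checks against the live host.
verify_splunk() {
    n=$(ps ax | count_splunk_procs)
    echo "splunk processes (excluding grep): $n"
    if ss -ltn 2>/dev/null | web_port_listening 8000; then
        echo "Splunk Web is listening on port 8000"
    else
        echo "nothing listening on 8000: check the start output and host firewall"
    fi
    [ "$n" -gt 0 ]
}

# Usage: install_splunk "$SPLUNK_DOWNLOAD_URL" && verify_splunk
```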
As you can see, it’s really easy to quickly fire up a Splunk instance if you need it. With practice, you’ll be able to do this in just a few minutes - perfect for any time you need to be an IT Superhero.